<?php

// --------------------------------------------------------------------- //
// FLASH Change user's personal details V1.0 build 20020518              //
// --------------------------------------------------------------------- //
// IN: username, action = "read"                                         //
//     OR                                                                //
//     username,password1,password2,firstname,surname,email,address,     //
//     company, telephone, action = "apply"                              //
// OUT: username,password,firstname,surname,email,address,company,teleph //
//      update="true" | "false", message                                 //
// --------------------------------------------------------------------- //
// NOTES: - you may need to edit the $changelogFile variable to point to //
//          a directory with read/write access for PHP                   //
//        - this script is intended for simple users, not administrators //
//          as status, security level, expiry and module can't be change //
// --------------------------------------------------------------------- //

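    // configuration helper -----------------------------------------------
    // Returns the value of the environment variable $envName, or $default
    // when that variable is unset or empty.
    function flashConfigValue($envName, $default)
    {
        $value = getenv($envName);
        return ($value === false || $value === '') ? $default : $value;
    }

    // connection variables -----------------------------------------------
    // NOTE(review): the database host, account and password are hard-coded
    // in a file that lives under the web root. Anyone who can read this
    // source (backup copy, repository, misconfigured handler) gets working
    // database credentials. Each value can now be supplied through the
    // environment; the literals remain only as a backward-compatible
    // fallback and should be removed, and the password rotated, once the
    // environment variables are set on the host.
    $mysqlServer   = flashConfigValue('FLASH_DB_SERVER',   "66.226.14.61");
    $mysqlUser     = flashConfigValue('FLASH_DB_USER',     "timescape");
    $mysqlPassword = flashConfigValue('FLASH_DB_PASSWORD', "ducati748");
    $mysqlDatabase = flashConfigValue('FLASH_DB_NAME',     "timescape");
    // The table name is interpolated into SQL as an identifier, so it stays
    // a fixed literal and is never taken from request or environment data.
    $mysqlTable    = "german";

    // change log: path and the size in bytes at which appendChangeLog()
    // starts a fresh file
    $changelogFile = "./logs/changes.txt";
    $changelogSize = 1000;

    // output messages ----------------------------------------------------
    // database / identity failures
    $errorConnect     = 'Unable to connect to database server.';
    $errorConnectdb   = 'Unable to use the database.';
    $errorQuery       = 'Error while accessing the database. It may be corrupted.';
    $errorIdentity    = 'Error while establishing your identity.';

    // validation failures for the submitted form fields
    $errorNoPassword  = 'The Password field may not be empty. ';
    $errorPasswords   = 'The passwords submitted do not match. ';
    $errorPassLength  = 'The password must be between 6 and 10 characters long.';
    $errorNoFirstName = 'First Name is required. ';
    $errorNoSurname   = 'Surname is required. ';

    // success messages
    $retrieveOk       = 'Data successfully retrieved';
    $changesApplied   = 'All changes were successfully applied';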

    // Append the Log File ------------------------------------------------
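    // Writes one CSV record "ip,user,date,time,action" (CRLF terminated) to
    // $changelogFile. The file is appended to while it exists and is smaller
    // than $changelogSize bytes; otherwise it is opened with "w", which
    // starts it again from empty. All I/O errors are suppressed, so logging
    // is best-effort and never interrupts the request.
    //
    // $action  short description of the event, supplied by the caller.
    function appendChangeLog($action)
    {
        global $changelogFile, $changelogSize, $inputUser, $HTTP_SERVER_VARS;

        // REMOTE_ADDR is absent outside a web request; log an empty field
        // instead of raising a notice.
        $userIP = isset($HTTP_SERVER_VARS['REMOTE_ADDR']) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : "";

        // The user name originates from request data. Line breaks or commas
        // inside it would let one event appear as several records or shift
        // the columns, so they are replaced before the record is built.
        $logUser   = str_replace(array("\r", "\n", ","), " ", (string) $inputUser);
        $logAction = str_replace(array("\r", "\n"), " ", (string) $action);

        $timeStamp = date("Y-m-d,H:i:s");
        $logEntry  = "$userIP,$logUser,$timeStamp,$logAction\r\n";

        // NOTE(review): once the size limit is reached the previous records
        // are discarded, and the truncating open happens before the lock is
        // taken. If this file is meant as an audit trail, rotate it to a
        // new name instead of overwriting it.
        $appendToExisting = @file_exists($changelogFile)
                         && (@filesize($changelogFile) < $changelogSize);
        $fp = @fopen($changelogFile, $appendToExisting ? "a" : "w");

        if ($fp != false)
        {
            @flock($fp, LOCK_EX);
            @fwrite($fp, $logEntry);
            @fclose($fp);   // closing the handle also releases the lock
        }
    }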

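    // reply helper -------------------------------------------------------
    // Sends a failure reply in the Flash "&name=value&" format and stops.
    function replyFailure($message)
    {
        echo "&update=false&message=$message&";
        exit;
    }

    // input helper -------------------------------------------------------
    // Returns query-string field $name as a string, or null when it is
    // missing or is not a string (a "name[]=" parameter arrives as an
    // array). Slashes added by magic_quotes_gpc are removed so that every
    // value is escaped exactly once, immediately before it enters SQL.
    function requestField($name)
    {
        global $HTTP_GET_VARS;

        if (!isset($HTTP_GET_VARS[$name]) || !is_string($HTTP_GET_VARS[$name]))
            return null;

        $value = $HTTP_GET_VARS[$name];
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
            $value = stripslashes($value);
        return $value;
    }

    // retrieve session variables if they exist ---------------------------
    session_start();
    $inputUser  = (isset($HTTP_SESSION_VARS['inputUser']) && is_scalar($HTTP_SESSION_VARS['inputUser']))
                ? (string) $HTTP_SESSION_VARS['inputUser'] : "";
    $inputPass  = isset($HTTP_SESSION_VARS['inputPass']) ? $HTTP_SESSION_VARS['inputPass'] : "";

    $username  = "";
    $password  = "";
    $firstname = "";
    $surname   = "";
    $email     = "";
    $company   = "";
    $address   = "";
    $telephone = "";
    $action    = "";

    // verify sent username versus username stored upon login -------------
    // Without a logged-in session $inputUser is "". The original check then
    // accepted an empty "username" parameter as a match, so a request with
    // no session at all reached the database code. Require a session user.
    if ($inputUser === "")
        replyFailure($errorIdentity);

    // Strict comparison: "!=" treats numeric-looking strings such as "7"
    // and "007" as equal, and compares arrays loosely.
    if (!isset($HTTP_GET_VARS['username'])
        || !is_string($HTTP_GET_VARS['username'])
        || $HTTP_GET_VARS['username'] !== $inputUser)
        replyFailure($errorIdentity);

    $username = $HTTP_GET_VARS['username'];

    // should we change the details or just retrieve them? -----------------
    // NOTE(review): "apply" changes stored data and carries the new
    // password in the query string, where it ends up in web server and
    // proxy logs and in browser history. Moving this to POST needs a
    // matching change in the Flash client.
    $action = (requestField('action') === "apply") ? "apply" : "read";

    // retrieve new user values if they were submitted previously ----------
    if ($action == "apply")
    {
        // verify passwords -----------------------------------------------
        $password1 = requestField('password1');
        $password2 = requestField('password2');

        if ($password1 === null || $password2 === null)
            replyFailure($errorNoPassword);
        // strict comparison so that e.g. "1000000" and "1e6" do not "match"
        if ($password1 !== $password2)
            replyFailure($errorPasswords);
        if ((strlen($password1) < 6) || (strlen($password1) > 10))
            replyFailure($errorPassLength);
        $password = $password1;

        // verify first name ----------------------------------------------
        $value = requestField('firstname');
        if ($value === null || strlen($value) < 1)
            replyFailure($errorNoFirstName);
        $firstname = $value;

        // verify surname -------------------------------------------------
        $value = requestField('surname');
        if ($value === null || strlen($value) < 1)
            replyFailure($errorNoSurname);
        $surname = $value;

        // set optional fields --------------------------------------------
        $value = requestField('email');
        if ($value !== null)
            $email = $value;

        $value = requestField('company');
        if ($value !== null)
            $company = $value;

        $value = requestField('address');
        if ($value !== null)
            $address = $value;

        $value = requestField('telephone');
        if ($value !== null)
            $telephone = $value;
    }

    // connect to database ------------------------------------------------
    $dblink = @mysql_connect($mysqlServer, $mysqlUser, $mysqlPassword);
    if ($dblink == false)
        replyFailure($errorConnect);
    if (@mysql_select_db($mysqlDatabase) == false)
        replyFailure($errorConnectdb);

    // MySQL queries ------------------------------------------------------
    // The queries are built only after the connection exists, because
    // mysql_real_escape_string() needs the link to escape for the
    // connection's character set. Every value placed between quotes is
    // escaped; the original interpolated the request values unescaped.
    // NOTE(review): this assumes the login script stores the raw
    // (unslashed) user name in the session -- confirm against that script.
    $sqlUser = mysql_real_escape_string($inputUser, $dblink);

    $retrieveQuery = "SELECT
                      username,
                      password,
                      firstname,
                      surname,
                      email,
                      company,
                      address,
                      telephone
                      FROM $mysqlTable
                      WHERE username='$sqlUser'";

    // new details were submitted, we must update -------------------------
    if ($action == "apply")
    {
        // NOTE(review): the password is written to the table verbatim and
        // limited to 10 characters. Storing a salted hash instead requires
        // a coordinated change in the login script and in this script's
        // reply format, so it is flagged here rather than changed.
        $sqlPassword  = mysql_real_escape_string($password,  $dblink);
        $sqlFirstname = mysql_real_escape_string($firstname, $dblink);
        $sqlSurname   = mysql_real_escape_string($surname,   $dblink);
        $sqlEmail     = mysql_real_escape_string($email,     $dblink);
        $sqlCompany   = mysql_real_escape_string($company,   $dblink);
        $sqlAddress   = mysql_real_escape_string($address,   $dblink);
        $sqlTelephone = mysql_real_escape_string($telephone, $dblink);

        $updateQuery   = "UPDATE $mysqlTable
                          SET password  = '$sqlPassword',
                              firstname = '$sqlFirstname',
                              surname   = '$sqlSurname',
                              email     = '$sqlEmail',
                              company   = '$sqlCompany',
                              address   = '$sqlAddress',
                              telephone = '$sqlTelephone'
                          WHERE username= '$sqlUser'";

        $resultQuery = @mysql_query($updateQuery);
        if ($resultQuery == false)
            replyFailure($errorQuery);
    }

    // read (old or new) data ---------------------------------------------
    $resultQuery = @mysql_query($retrieveQuery);
    if ($resultQuery == false)
        replyFailure($errorQuery);

    // exactly one row must match the session user
    $numberOfUsers = mysql_num_rows($resultQuery);
    if ($numberOfUsers != 1)
        replyFailure($errorQuery);

    $row = mysql_fetch_array($resultQuery);

    // Keep the stored password as read from the table for the session
    // update below; the copies that follow are URL-encoded for output only.
    $storedPassword = isset($row['password']) ? $row['password'] : "";

    $username  = isset($row['username'])  ? rawurlencode($row['username'])  : "";
    $password  = isset($row['password'])  ? rawurlencode($row['password'])  : "";
    $firstname = isset($row['firstname']) ? rawurlencode($row['firstname']) : "";
    $surname   = isset($row['surname'])   ? rawurlencode($row['surname'])   : "";
    $email     = isset($row['email'])     ? rawurlencode($row['email'] )    : "";
    $company   = isset($row['company'])   ? rawurlencode($row['company'])   : "";
    $address   = isset($row['address'])   ? rawurlencode($row['address'])   : "";
    $telephone = isset($row['telephone']) ? rawurlencode($row['telephone']) : "";

    // Output data --------------------------------------------------------
    $output  = "&update=true&\n";
    if ($action == "apply")
    {
        // The original copied the URL-encoded $password into the session,
        // so a password containing any character that rawurlencode()
        // rewrites no longer matched the stored one after a change.
        $inputPass = $storedPassword;
        $HTTP_SESSION_VARS['inputPass'] = $inputPass;
        session_register('inputPass');

        $output .= "&message=$changesApplied&\n";
        $output .= "&changed=true&\n";

        appendChangeLog("changed personal data");
    }
    else
    {
        $output .= "&message=$retrieveOk&\n";
        $output .= "&changed=false&\n";
    }
    // NOTE(review): the reply returns the stored password to the client in
    // both password fields. That is part of the documented OUT contract of
    // this script, so it is kept; consider dropping it from the reply when
    // the Flash form is next revised.
    $output .= "&username=$username&\n";
    $output .= "&password1=$password&\n";
    $output .= "&password2=$password&\n";
    $output .= "&firstname=$firstname&\n";
    $output .= "&surname=$surname&\n";
    $output .= "&email=$email&\n";
    $output .= "&company=$company&\n";
    $output .= "&address=$address&\n";
    $output .= "&telephone=$telephone&";
    echo $output;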
?>